深海游弋的鱼 – 第 50 页 – 智障儿童欢乐多

集成华为HMS debug/release 修改包名，取不同包名下的agconnect-services.json 文件

debug/release 修改包名，取不同包名下的agconnect-services.json 文件 V2 解决每次更换包名，都是要手动删除agconnect-services.json文件操作

问题描述

集成华为HMS Core/Push在打多渠道包的时候，我需要区分debug版本，release版本，其中涉及到包名的不同，我使用release编译的时候，发现如下错误信息。这个原因是因为你的agconnect-services文件里面含有一个 package_name 参数，这个参数是需要指定包名的，如果 package_name 填写的报名，和目前你所使用的包名没有对应上就会出现这样的错误

修改过程中遇到的错误信息

* What went wrong:
Execution failed for task ':app:processDebugAGCPlugin'.
> ERROR: Failed to verify AGConnect-Config '/client/package_name', expected: 'com.gxx.fast', but was: 'com.gxx.fast.debug'

* What went wrong:

Execution failed for task ':app:processDebugAGCPlugin'.

> ERROR: Failed to verify AGConnect-Config '/client/package_name', expected: 'com.gxx.fast', but was: 'com.gxx.fast.debug'

不是很完美的解决问题

既然是需要区分包名的，我不如直接copy 2份出来，放到src下面，并新建一个类 pushservices 里面存放 debug/release 的类并存放 agconnect-services.json文件，这样我们想使用哪个版本的，就使用哪个版本的

继续阅读集成华为HMS debug/release 修改包名，取不同包名下的agconnect-services.json 文件

Android Studio使用gradle实现资源自动拷贝

把下面的代码拷贝到app的gradle.build文件内

android.applicationVariants.all{ variant ->
    delete "${buildDir}/intermediates/merged_assets/${variant.dirName}"  // buildDir是app下的build目录
    variant.mergeAssets.doLast{
        def sourceDir = "${buildDir}/../"   // 资源存放目录，这里是app下
        print "${buildDir} \n"  // 打印路径
        copy { // 将from目录下的资源拷贝到into 下目录去
            from "${sourceDir}/fromDir"
            into "${outputDir}/res"
        }
    }
}

android.applicationVariants.all{ variant ->

delete "${buildDir}/intermediates/merged_assets/${variant.dirName}" // buildDir是app下的build目录

variant.mergeAssets.doLast{

def sourceDir = "${buildDir}/../" // 资源存放目录，这里是app下

print "${buildDir} \n" // 打印路径

copy { // 将from目录下的资源拷贝到into 下目录去

from "${sourceDir}/fromDir"

into "${outputDir}/res"

}

继续阅读Android Studio使用gradle实现资源自动拷贝

使用pip安装模块时提示：No module named pip

系统输入cmd：
windows 解决方法：

python -m ensurepip

1	python -m ensurepip

升级pip版本:

pip install --upgrade pip

1	pip install --upgrade pip

linux解决方法：

$ python -m ensurepip

$ sudo easy_install pip

$ python -m pip install --upgrade pip

$ python -m ensurepip

$ sudo easy_install pip

$ python -m pip install --upgrade pip

参考链接

使用pip安装模块时提示： No module named pip

Windows泄露文件目录分析

1）种子链接：https://itorrents.org/torrent/3D8B16242B56A3AAFB8DA7B5FC83EF993EBCF35B.torrent?title=[limetorrents.info]Microsoft.leaked.source.code.archive_2020-09-24（你不会想用手敲吧？）也可本地下载

看了下大小是42.93GB（应该是对的~）

继续阅读Windows泄露文件目录分析

Android开源VPN客户端之ICS OpenVPN

1. 简介

Android API level 14+提供了VPNService服务框架，在不root的情况下，开发者可以创建自己的VPN服务应用。
目前主要有三种，分别为OpenVPN for Android（ICS OpenVPN），OpenVPN Connect，OpenVPN Settings。

OpenVPN for Android和OpenVPN Connect使用官方VPNService API (Android 4.0+)，不需要root权限，而OpenVPN Settings需要root权限。
OpenVPN for Android是一个开源的客户端，由Arne Schwabe开发，他定位于更高级的用户，提供更多的设置，它可以在app内导入配置文件。
OpenVPN Connect是一个不开源的客户端，它由OpenVPN Technologies , Inc. 开发，它定位于普通用户，它基于OpenVPN协议的C++实现。
OpenVPN Settings是最老的客户端，需要root权限，它并不使用VPNService API。

2. 编译OpenVPN for Android

2.1 开发环境搭建

Ubuntu16，Android Studio，NDK，SDK
首先在Ubuntu下安装Android studio，安装完毕后，使用sdk manager工具安装sdk。
关于NDK，可以使用sdk manager来下载，不过在编译源码的过程中出现了错误，经过尝试发现sdk manager下载的是14版本的ndk，而14版本的ndk编译OpenVPN for Android会出现错误，建议使用12版本的ndk。

2.2 配置环境变量

安装完Android studio，解压完ndk后，需要配置环境变量。

~/android-studio/bin Android studio安装目录
~/Android/android-ndk-r12b ndk解压目录

1 2	~/android-studio/bin Android studio安装目录 ~/Android/android-ndk-r12b ndk解压目录

进入用户目录（cd /home/bleach），打开配置文件（vim .bashrc），添加如下内容：

export PATH=$PATH:~/android-studio/bin:~/Android/android-ndk-r12b

1	export PATH=$PATH:~/android-studio/bin:~/Android/android-ndk-r12b

2.3 获取OpenVPN for Android源码

打开搜索引擎，输入ics openvpn，进行搜索，然后进入ics openvpn的github主页，选择master分支里的一个已经添加标签的版本，本文选择的是0.6.64版本的源码。

进入Ubuntu命令行，创建一个源码目录，然后使用git clone命令将源码下载到本地。

$ mkdir ics-openvpn-v0.6.64

$ cd ics-openvpn-v0.6.64

$ git clone https://github.com/schwabe/ics-openvpn.git

$ mkdir ics-openvpn-v0.6.64

$ cd ics-openvpn-v0.6.64

$ git clone https://github.com/schwabe/ics-openvpn.git

2.4 编译源码

step1：进入ics-openvpn-v0.6.64/ics-openvpn目录，修改.gitmodules文件。

$ cd ics-openvpn-v0.6.64/ics-openvpn

$ ls –a

$ vim .gitmodules

$ cd ics-openvpn-v0.6.64/ics-openvpn

$ ls –a

$ vim .gitmodules

将.gitmodules文件中的url更改掉。

[submodule "main/openvpn"]
path = main/openvpn
url = https://github.com/schwabe/openvpn.git

[submodule "main/openssl"]
path = main/openssl
url = https://github.com/schwabe/platform_external_openssl.git

[submodule "main/breakpad"]
path = main/breakpad
url = https://github.com/schwabe/breakpad.git

[submodule "main/openvpn"]

path = main/openvpn

url = https://github.com/schwabe/openvpn.git

[submodule "main/openssl"]

path = main/openssl

url = https://github.com/schwabe/platform_external_openssl.git

[submodule "main/breakpad"]

path = main/breakpad

url = https://github.com/schwabe/breakpad.git

step2：执行指令

$ git submodule sync

1	$ git submodule sync

step3：然后执行指令

$ git submodule init

1	$ git submodule init

step4：然后执行指令

$ git submodule update

1	$ git submodule update

upate指令会消耗一定的时间。
step5：最后进入ics-openvpn-v0.6.64/ics-openvpn/main目录，执行./misc/build-native.sh，等待编译完成，可能需要修改build-native.sh的执行权限。

$ cd main

$ chmod +x ./mics/build-native.sh

$ ./misc/build-native.sh

$ cd main

$ chmod +x ./mics/build-native.sh

$ ./misc/build-native.sh

3. 编译常见问题

3.1 ndk-build not found

未配置ndk环境变量，请参考2.2。

3.2 各种编译错误，比如unknown directive。

很有可能是ndk版本的问题，请使用12版本的ndk尝试编译。

3.3 cannot find .git directory in openvpn,aborting

不要在github上下载zip包的源码，请使用git clone指令将源码下载到本地。

4. 导入源码

将源码导入到Android studio中，目前OpenVPN for Android不支持导入到eclipse中，请使用Android studio开发环境。
打开Android studio，将源码导入，Android studio会自动更新gradle信息，更新完毕后，编译工程，就会生成对应apk包。

参考链接

Android开源VPN客户端之ICS OpenVPN

Java 实现TLS/SSL证书的自动安装校验

前言

最近实现Socks5 proxy与HTTP proxy中遇到了SSLSocket隧道的问题，当然，最终问题经过自动证书校验安装管理器实现了证书的管理，也解决了SSLSocket，但是目前的问题是浏览器对Socks5和HTTP proxy还有很多不足，目前实现的两个代理工具只能在程序中使用。当然，我们今天的主要话题如下：

Java 实现TLS/SSL证书的自动安装校验，主要经过ssl/tls握手，密钥交换，证书校验机制实现。我们这里模拟浏览器，实现自动校验和证书的检测。

主要实现如下功能：

1.自动检测，校验根证书，校验过期时间，校验签名的证书是否有效，校验证书和域名是否匹配

2.实现证书的自动存储，自动安装，加载

3.实现普通Socket自动升级为SSLSocket

一.实现配置类

首先，我们先添加2个配置类

package com.ssl.rx.http;

import java.security.KeyStore;

public class ConnectionConfiguration {

	/** 证书文件路径 */
private String truststorePath;
	/** 证书类型 */
private String truststoreType;
	/** 证书文件密码 */
private String truststorePassword;
	/** 是否验证证书链的签名有效性 */
private boolean verifyChainEnabled = true;
	/** 是否校验根证书，注意，自签名证书没有根证书 */
private boolean verifyRootCAEnabled = true;
	/** 是否允许通过自签名证书 */
private boolean selfSignedCertificateEnabled = false;
	/** 是否检查证书的有效期 */
private boolean expiredCertificatesCheckEnabled = true;
	/** 检查域名的匹配情况 */
private boolean notMatchingDomainCheckEnabled = true;

	private String server;
	private int port;

	public ConnectionConfiguration() {
		truststorePassword = "WlZSak5GcFVUbTlsVjJSNg==";
		truststorePath = "socket_tls_clientTrust.cert";
		truststoreType = "jks";
	}

	public int getPort() {
		return port;
	}

	public void setPort(int port) {
		this.port = port;
	}

	public String getServer() {
		return server;
	}

	public void setServer(String server) {
		this.server = server;
	}

	public boolean isExpiredCertificatesCheckEnabled() {
		return expiredCertificatesCheckEnabled;
	}

	public void setSelfSignedCertificateEnabled(boolean selfSignedCertificateEnabled) {
		this.selfSignedCertificateEnabled = selfSignedCertificateEnabled;
	}

	public void setExpiredCertificatesCheckEnabled(boolean expiredCertificatesCheckEnabled) {
		this.expiredCertificatesCheckEnabled = expiredCertificatesCheckEnabled;
	}

	public boolean isSelfSignedCertificateEnabled() {
		return selfSignedCertificateEnabled;
	}

	public boolean isNotMatchingDomainCheckEnabled() {
		return notMatchingDomainCheckEnabled;
	}

	public boolean isVerifyRootCAEnabled() {
		return verifyRootCAEnabled;
	}

	public void setVerifyRootCAEnabled(boolean verifyRootCAEnabled) {
		this.verifyRootCAEnabled = verifyRootCAEnabled;
	}

	public void setVerifyChainEnabled(boolean verifyChainEnabled) {
		this.verifyChainEnabled = verifyChainEnabled;
	}

	public boolean isVerifyChainEnabled() {

		return verifyChainEnabled;
	}

	public String getTruststoreType() {
		return truststoreType;
	}

	public void setTruststoreType(String truststoreType) {
		this.truststoreType = truststoreType;
	}

	public String getTruststorePassword() {
		return truststorePassword;
	}

	public void setTruststorePassword(String truststorePassword) {
		this.truststorePassword = truststorePassword;
	}

	public String getTruststorePath() {
		return truststorePath;
	}

	public void setTruststorePath(String truststorePath) {
		this.truststorePath = truststorePath;
	}

	public void setNotMatchingDomainCheckEnabled(boolean notMatchingDomainCheckEnabled) {
		this.notMatchingDomainCheckEnabled = notMatchingDomainCheckEnabled;
	}

}


然后增加一个用于存储keystore的javaBean

package com.ssl.rx.http;

public class KeyStoreOptions {
	private final String type;
	private final String path;
	private final String password;

	public KeyStoreOptions(String type, String path, String password) {
		super();
		this.type = type;
		this.path = path;
		this.password = password;
	}

	public String getType() {
		return type;
	}

	public String getPath() {
		return path;
	}

	public String getPassword() {
		return password;
	}

	@Override
public int hashCode() {
		final int prime = 31;
		int result = 1;
		result = prime * result + ((password == null) ? 0 : password.hashCode());
		result = prime * result + ((path == null) ? 0 : path.hashCode());
		result = prime * result + ((type == null) ? 0 : type.hashCode());
		return result;
	}

	@Override
public boolean equals(Object obj) {
		if (this == obj)
			return true;
		if (obj == null)
			return false;
		if (getClass() != obj.getClass())
			return false;
		KeyStoreOptions other = (KeyStoreOptions) obj;
		if (password == null) {
			if (other.password != null)
				return false;
		} else if (!password.equals(other.password))
			return false;
		if (path == null) {
			if (other.path != null)
				return false;
		} else if (!path.equals(other.path))
			return false;
		if (type == null) {
			if (other.type != null)
				return false;
		} else if (!type.equals(other.type))
			return false;
		return true;
	}
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

package com.ssl.rx.http;

import java.security.KeyStore;

public class ConnectionConfiguration {

/** 证书文件路径 */

private String truststorePath;

/** 证书类型 */

private String truststoreType;

/** 证书文件密码 */

private String truststorePassword;

/** 是否验证证书链的签名有效性 */

private boolean verifyChainEnabled = true;

/** 是否校验根证书，注意，自签名证书没有根证书 */

private boolean verifyRootCAEnabled = true;

/** 是否允许通过自签名证书 */

private boolean selfSignedCertificateEnabled = false;

/** 是否检查证书的有效期 */

private boolean expiredCertificatesCheckEnabled = true;

/** 检查域名的匹配情况 */

private boolean notMatchingDomainCheckEnabled = true;

private String server;

private int port;

public ConnectionConfiguration() {

truststorePassword = "WlZSak5GcFVUbTlsVjJSNg==";

truststorePath = "socket_tls_clientTrust.cert";

truststoreType = "jks";

}

public int getPort() {

return port;

}

public void setPort(int port) {

this.port = port;

}

public String getServer() {

return server;

}

public void setServer(String server) {

this.server = server;

}

public boolean isExpiredCertificatesCheckEnabled() {

return expiredCertificatesCheckEnabled;

}

public void setSelfSignedCertificateEnabled(boolean selfSignedCertificateEnabled) {

this.selfSignedCertificateEnabled = selfSignedCertificateEnabled;

}

public void setExpiredCertificatesCheckEnabled(boolean expiredCertificatesCheckEnabled) {

this.expiredCertificatesCheckEnabled = expiredCertificatesCheckEnabled;

}

public boolean isSelfSignedCertificateEnabled() {

return selfSignedCertificateEnabled;

}

public boolean isNotMatchingDomainCheckEnabled() {

return notMatchingDomainCheckEnabled;

}

public boolean isVerifyRootCAEnabled() {

return verifyRootCAEnabled;

}

public void setVerifyRootCAEnabled(boolean verifyRootCAEnabled) {

this.verifyRootCAEnabled = verifyRootCAEnabled;

}

public void setVerifyChainEnabled(boolean verifyChainEnabled) {

this.verifyChainEnabled = verifyChainEnabled;

}

public boolean isVerifyChainEnabled() {

return verifyChainEnabled;

}

public String getTruststoreType() {

return truststoreType;

}

public void setTruststoreType(String truststoreType) {

this.truststoreType = truststoreType;

}

public String getTruststorePassword() {

return truststorePassword;

}

public void setTruststorePassword(String truststorePassword) {

this.truststorePassword = truststorePassword;

}

public String getTruststorePath() {

return truststorePath;

}

public void setTruststorePath(String truststorePath) {

this.truststorePath = truststorePath;

}

public void setNotMatchingDomainCheckEnabled(boolean notMatchingDomainCheckEnabled) {

this.notMatchingDomainCheckEnabled = notMatchingDomainCheckEnabled;

}

然后增加一个用于存储keystore的javaBean

package com.ssl.rx.http;

public class KeyStoreOptions {

private final String type;

private final String path;

private final String password;

public KeyStoreOptions(String type, String path, String password) {

super();

this.type = type;

this.path = path;

this.password = password;

}

public String getType() {

return type;

}

public String getPath() {

return path;

}

public String getPassword() {

return password;

}

@Override

public int hashCode() {

final int prime = 31;

int result = 1;

result = prime * result + ((password == null) ? 0 : password.hashCode());

result = prime * result + ((path == null) ? 0 : path.hashCode());

result = prime * result + ((type == null) ? 0 : type.hashCode());

return result;

}

@Override

public boolean equals(Object obj) {

if (this == obj)

return true;

if (obj == null)

return false;

if (getClass() != obj.getClass())

return false;

KeyStoreOptions other = (KeyStoreOptions) obj;

if (password == null) {

if (other.password != null)

return false;

} else if (!password.equals(other.password))

return false;

if (path == null) {

if (other.path != null)

return false;

} else if (!path.equals(other.path))

return false;

if (type == null) {

if (other.type != null)

return false;

} else if (!type.equals(other.type))

return false;

return true;

}

最后，我们来实现核心部分，证书管理器

二.实现核心代码

package com.ssl.rx.http;


public class SSLX509CertificateManager {

	private static final Logger logger = Logger.getLogger("SSLX509CertificateManager");
	private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
	private static Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");
	private static Map<KeyStoreOptions, KeyStore> stores = new HashMap<KeyStoreOptions, KeyStore>();

	private static String toHexString(byte[] bytes) {
		StringBuilder sb = new StringBuilder(bytes.length * 3);
		for (int b : bytes) {
			b &= 0xff;
			sb.append(HEXDIGITS[b >> 4]);
			sb.append(HEXDIGITS[b & 15]);
			sb.append(' ');
		}
		return sb.toString();
	}

	

	/**
	 * 开始握手等一系列密钥协商
	 * 
	 * @param socket
	 * @return
	 */
public static boolean startHandshake(SSLSocket socket) {
		try {
			logger.log(Level.INFO, "-开始握手，认证服务器证书-");
			socket.startHandshake();
			System.out.println();
			logger.log(Level.INFO, "-握手结束，结束认证服务器证书-");
		} catch (SSLException e) {
			e.printStackTrace();
			return false;
		} catch (IOException e) {
			e.printStackTrace();
			return false;
		}
		return true;
	}

	public static SSLSocket createTrustCASocket(String host, int port, ConnectionConfiguration config)
throws Exception {
		if (config == null) {
			config = new ConnectionConfiguration();
		}
		KeyStore ks = getKeyStore(config);
		SSLContext context = SSLContext.getInstance("TLS");
		TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		tmf.init(ks);
		X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
		CAX509TrustManager tm = new CAX509TrustManager(defaultTrustManager, ks, config);

		context.init(null, new TrustManager[] { tm }, new SecureRandom());
		SSLSocketFactory factory = context.getSocketFactory();

		logger.log(Level.INFO, "开始连接： " + host + ":" + port + "...");
		SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
		socket.setSoTimeout(10000);

		config.setServer(host);
		config.setPort(port);
		// config.setTrustKeyStore(ks);
		X509Certificate certificate = (X509Certificate) ks.getCertificate(host + ":" + port);

		if (certificate != null && isValid(certificate)) {
			logger.log(Level.INFO, "-证书文件存在并且有效，无需进行握手-");
			return socket;
		}
		if (!startHandshake(socket)) {
			logger.log(Level.SEVERE, "-握手失败-");
			return null;
		}
		X509Certificate[] chain = tm.chain;
		if (chain == null || chain.length == 0) {
			logger.log(Level.SEVERE, "-证书链为空，认证失败-");
			return null;
		}

		if (config.isVerifyRootCAEnabled()) {
			boolean isValidRootCA = checkX509CertificateRootCA(ks, chain, config.isSelfSignedCertificateEnabled());
			if (!isValidRootCA) {
				return null;
			}
		}

		return socket;
	}

	/**
	 * 获取keystore，防治多次加载
	 * 
	 * @param config
	 * @return
	 * @throws KeyStoreException
	 * @throws IOException
	 * @throws NoSuchAlgorithmException
	 * @throws CertificateException
	 * @throws FileNotFoundException
	 */
private static KeyStore getKeyStore(ConnectionConfiguration config) throws KeyStoreException, IOException,
			NoSuchAlgorithmException, CertificateException, FileNotFoundException {
		KeyStore ks;
		synchronized (stores) {
			KeyStoreOptions options = new KeyStoreOptions(config.getTruststoreType(), config.getTruststorePath(),
					config.getTruststorePassword());
			if (stores.containsKey(options)) {
				logger.log(Level.INFO, "从缓存中获取trustKeystore");
				ks = stores.get(options);

			} else {
				File file = new File(config.getTruststorePath());
				char[] password = config.getTruststorePassword().toCharArray();

				logger.log(Level.INFO, "加载" + file + "证书文件");
				ks = KeyStore.getInstance(KeyStore.getDefaultType());
				if (!file.exists()) {
					logger.log(Level.INFO, "证书文件不存在，选择自动创建");
					ks.load(null, password);
				} else {
					logger.log(Level.INFO, "证书文件存在，开始加载");
					InputStream in = new FileInputStream(file);
					ks.load(in, password);
					in.close();
				}
				stores.put(options, ks);
			}

		}
		return ks;
	}

	public static SSLSocket createTrustCASocket(String host, int port) throws Exception {

		return createTrustCASocket(host, port, null);
	}

	public static SSLSocket createTrustCASocket(Socket s, ConnectionConfiguration config) throws Exception {
		if (config == null) {
			config = new ConnectionConfiguration();
		}

		KeyStore ks = getKeyStore(config);
		SSLContext context = SSLContext.getInstance("TLS");
		TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		tmf.init(ks);
		X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
		CAX509TrustManager tm = new CAX509TrustManager(defaultTrustManager, ks, config);

		context.init(null, new TrustManager[] { tm }, new SecureRandom());
		SSLSocketFactory factory = context.getSocketFactory();

		String host = s.getInetAddress().getHostName();
		int port = s.getPort();
		logger.log(Level.INFO, "开始连接： " + host + ":" + port + "...");

		SSLSocket socket = (SSLSocket) factory.createSocket(s, host, port, true);
		socket.setSoTimeout(10000);

		config.setServer(s.getInetAddress().getHostName());
		config.setPort(s.getPort());

		X509Certificate certificate = (X509Certificate) ks.getCertificate(host + ":" + s.getPort());
		if (certificate != null && isValid(certificate)) {
			logger.log(Level.INFO, "-证书文件存在并且有效，无需进行握手-");
			return socket;
		}
		if (!startHandshake(socket)) {
			return null;
		}
		X509Certificate[] chain = tm.chain;
		if (chain == null || chain.length == 0) {
			logger.log(Level.SEVERE, "-证书链为空，认证失败-");
			return null;
		}
		if (config.isVerifyRootCAEnabled()) {
			boolean isValidRootCA = checkX509CertificateRootCA(ks, chain, config.isSelfSignedCertificateEnabled());
			if (!isValidRootCA) {
				logger.log(Level.SEVERE, "根证书校验无效");
				return null;
			}
		}
		return socket;

	}

	public static SSLSocket createTrustCASocket(Socket s) throws Exception {

		return createTrustCASocket(s, null);
	}

	public static class CAX509TrustManager implements X509TrustManager {

		private final X509TrustManager tm;
		private X509Certificate[] chain;
		private KeyStore keyStore;
		private ConnectionConfiguration config;
		public MessageDigest sha1 = null;
		public MessageDigest md5 = null;

		public CAX509TrustManager(X509TrustManager tm, KeyStore ks, ConnectionConfiguration config)
throws NoSuchAlgorithmException {
			this.tm = tm;
			this.keyStore = ks;
			sha1 = MessageDigest.getInstance("SHA1");
			md5 = MessageDigest.getInstance("MD5");
			this.config = config;
		}

		public X509Certificate[] getAcceptedIssuers() {
			return tm.getAcceptedIssuers(); // 生成证书数组，用于存储新证书
		}

		public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
			tm.checkClientTrusted(chain, authType); // 检查客户端
		}

		public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
			if (this.chain == null) {
				this.chain = getAcceptedIssuers();
			}
			if (chain != null && chain.length > 0) {
				if (!checkX509CertificateValid(chain, config)) {
					logger.log(Level.SEVERE, "证书校验未通过");
					return;
				}
				for (int i = 0; i < chain.length; i++) {
					X509Certificate certificate = chain[i];
					if (i == 0) {
						saveCAToKeyStore(certificate, config.getServer() + ":" + config.getPort());
					} else {
						saveCAToKeyStore(certificate, null);
					}
				}
			}
		}

		public void saveCAToKeyStore(X509Certificate certificate, String aliasKey) throws CertificateEncodingException {
			try {
				X509Certificate cert = certificate;
				System.out.println(" Subject " + cert.getSubjectDN());
				System.out.println("  Issuer  " + cert.getIssuerDN());
				sha1.update(cert.getEncoded());
				System.out.println("  sha1    " + toHexString(sha1.digest()));
				md5.update(cert.getEncoded());
				System.out.println("  md5     " + toHexString(md5.digest()));

				String alias = keyStore.getCertificateAlias(cert);
				if (alias == null || alias != null && !isValid(certificate)) {
					if (aliasKey == null || aliasKey.length() == 0) {
						alias = cert.getSubjectDN().getName();
					} else {
						alias = aliasKey;
						logger.log(Level.INFO, "设定指定证书别名:" + alias);
					}
					keyStore.setCertificateEntry(alias, certificate);
					OutputStream out = new FileOutputStream(config.getTruststorePath());
					keyStore.store(out, config.getTruststorePassword().toCharArray());
					out.close();
					chain = Arrays.copyOf(chain, chain.length + 1);
					chain[chain.length - 1] = certificate;
					logger.fine(certificate.toString());
				}

			} catch (KeyStoreException e) {
				e.printStackTrace();
			} catch (FileNotFoundException e) {
				e.printStackTrace();
			} catch (NoSuchAlgorithmException e) {
				e.printStackTrace();
			} catch (CertificateException e) {
				e.printStackTrace();
			} catch (IOException e) {
				e.printStackTrace();
			}
		}

	}

	public static boolean isValid(X509Certificate cert) {
		if (cert == null) {
			return false;
		}
		try {
			cert.checkValidity();
		} catch (CertificateExpiredException e) {
			e.printStackTrace();
			return false;
		} catch (CertificateNotYetValidException e) {
			e.printStackTrace();
			return false;
		}
		return true;
	}

	/**
	 * 校验证书的有效性
	 * 
	 * @param chain
	 * @param config
	 * @return
	 */
private static boolean checkX509CertificateValid(X509Certificate[] chain, ConnectionConfiguration config) {
		boolean result = true;
		if (config.isExpiredCertificatesCheckEnabled()) {
			result = result && checkX509CertificateExpired(chain);
		}

		if (config.isVerifyChainEnabled()) {
			result = result && checkX509CertificateChain(chain);
		}

		if (config.isNotMatchingDomainCheckEnabled()) {
			result = result && checkIsMatchDomain(chain, config.getServer());
		}

		return result;

	}

	/**
	 * 检查是否匹配域名
	 * 
	 * @param x509Certificates
	 * @param server
	 * @return
	 */
public static boolean checkIsMatchDomain(X509Certificate[] x509Certificates, String server) {
		server = server.toLowerCase();
		List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);
		if (peerIdentities.size() == 1 && peerIdentities.get(0).startsWith("*.")) {
			String peerIdentity = peerIdentities.get(0).replace("*.", "");
			if (!server.endsWith(peerIdentity)) {
				return false;
			}
		} else {
			for (int i = 0; i < peerIdentities.size(); i++) {
				String peerIdentity = peerIdentities.get(i).replace("*.", "");
				if (server.endsWith(peerIdentity)) {
					return true;
				}
			}
		}
		return false;
	}

	/**
	 * 校验根证书
	 * 
	 * @param trustStore
	 * @param x509Certificates
	 * @param isSelfSignedCertificate
	 *            是否自签名证书
	 * @return
	 */
public static boolean checkX509CertificateRootCA(KeyStore trustStore, X509Certificate[] x509Certificates,
			boolean isSelfSignedCertificate) {
		List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);
		boolean trusted = false;
		try {
			int size = x509Certificates.length;
			trusted = trustStore.getCertificateAlias(x509Certificates[size - 1]) != null;
			if (!trusted && size == 1 && isSelfSignedCertificate) {
				logger.log(Level.WARNING, "-强制认可自签名证书-");
				trusted = true;
			}
		} catch (KeyStoreException e) {
			e.printStackTrace();
		}
		if (!trusted) {
			logger.log(Level.SEVERE, "-根证书签名的网站：" + peerIdentities + "不能被信任");
		}

		return trusted;
	}

	/**
	 * 检查证书是否过期
	 * 
	 * @param x509Certificates
	 * @return
	 */
public static boolean checkX509CertificateExpired(X509Certificate[] x509Certificates) {
		Date date = new Date();
		for (int i = 0; i < x509Certificates.length; i++) {
			try {
				x509Certificates[i].checkValidity(date);
			} catch (GeneralSecurityException generalsecurityexception) {
				logger.log(Level.SEVERE, "-证书已经过期-");
				return false;
			}
		}
		return true;
	}

	/**
	 * 校验证书链的完整性
	 * 
	 * @param x509Certificates
	 * @return
	 */
public static boolean checkX509CertificateChain(X509Certificate[] x509Certificates) {
		Principal principalLast = null;
		List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);

		for (int i = x509Certificates.length - 1; i >= 0; i--) {
			X509Certificate x509certificate = x509Certificates[i];
			Principal principalIssuer = x509certificate.getIssuerDN();
			Principal principalSubject = x509certificate.getSubjectDN();
			if (principalLast != null) {
				if (principalIssuer.equals(principalLast)) {
					try {
						PublicKey publickey = x509Certificates[i + 1].getPublicKey();
						x509Certificates[i].verify(publickey);
					} catch (GeneralSecurityException generalsecurityexception) {

						logger.log(Level.SEVERE, "-无效的证书签名-" + peerIdentities);
						return false;
					}
				} else {
					logger.log(Level.SEVERE, "-无效的证书签名-" + peerIdentities);
					return false;
				}
			}
			principalLast = principalSubject;
		}

		return true;
	}

	/**
	 * 返回所有可用的签名方式 键值对 如CN=VeriSignMPKI-2-6
	 * 
	 * @param certificate
	 * @return
	 */
private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {
		List<String> identities = new ArrayList<String>();
		try {
			Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();
			if (altNames == null) {
				return Collections.emptyList();
			}

			Iterator<List<?>> iterator = altNames.iterator();
			do {
				if (!iterator.hasNext())
					break;
				List<?> altName = iterator.next();
				int size = altName.size();
				if (size >= 2) {
					identities.add((String) altName.get(1));
				}

			} while (true);
		} catch (CertificateParsingException e) {
			e.printStackTrace();
		}
		return identities;
	}

	/**
	 * 返回所有可用的签名方式的值
	 * 
	 * @param certificate
	 * @return
	 */
public static List<String> getPeerIdentity(X509Certificate x509Certificate) {
		List<String> names = getSubjectAlternativeNames(x509Certificate);
		if (names.isEmpty()) {
			String name = x509Certificate.getSubjectDN().getName();
			Matcher matcher = cnPattern.matcher(name);
			if (matcher.find()) {
				name = matcher.group(2);
			}
			names = new ArrayList<String>();
			names.add(name);
		}
		return names;
	}
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

package com.ssl.rx.http;

public class SSLX509CertificateManager {

private static final Logger logger = Logger.getLogger("SSLX509CertificateManager");

private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

private static Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");

private static Map<KeyStoreOptions, KeyStore> stores = new HashMap<KeyStoreOptions, KeyStore>();

private static String toHexString(byte[] bytes) {

StringBuilder sb = new StringBuilder(bytes.length * 3);

for (int b : bytes) {

b &= 0xff;

sb.append(HEXDIGITS[b >> 4]);

sb.append(HEXDIGITS[b & 15]);

sb.append(' ');

}

return sb.toString();

}

/**

* 开始握手等一系列密钥协商

* @param socket

* @return

public static boolean startHandshake(SSLSocket socket) {

try {

logger.log(Level.INFO, "-开始握手，认证服务器证书-");

socket.startHandshake();

System.out.println();

logger.log(Level.INFO, "-握手结束，结束认证服务器证书-");

} catch (SSLException e) {

e.printStackTrace();

return false;

} catch (IOException e) {

e.printStackTrace();

return false;

}

return true;

}

public static SSLSocket createTrustCASocket(String host, int port, ConnectionConfiguration config)

throws Exception {

if (config == null) {

config = new ConnectionConfiguration();

}

KeyStore ks = getKeyStore(config);

SSLContext context = SSLContext.getInstance("TLS");

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(ks);

X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];

CAX509TrustManager tm = new CAX509TrustManager(defaultTrustManager, ks, config);

context.init(null, new TrustManager[] { tm }, new SecureRandom());

SSLSocketFactory factory = context.getSocketFactory();

logger.log(Level.INFO, "开始连接： " + host + ":" + port + "...");

SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

socket.setSoTimeout(10000);

config.setServer(host);

config.setPort(port);

// config.setTrustKeyStore(ks);

X509Certificate certificate = (X509Certificate) ks.getCertificate(host + ":" + port);

if (certificate != null && isValid(certificate)) {

logger.log(Level.INFO, "-证书文件存在并且有效，无需进行握手-");

return socket;

}

if (!startHandshake(socket)) {

logger.log(Level.SEVERE, "-握手失败-");

return null;

}

X509Certificate[] chain = tm.chain;

if (chain == null || chain.length == 0) {

logger.log(Level.SEVERE, "-证书链为空，认证失败-");

return null;

}

if (config.isVerifyRootCAEnabled()) {

boolean isValidRootCA = checkX509CertificateRootCA(ks, chain, config.isSelfSignedCertificateEnabled());

if (!isValidRootCA) {

return null;

}

return socket;

}

/**

* 获取keystore，防治多次加载

* @param config

* @return

* @throws KeyStoreException

* @throws IOException

* @throws NoSuchAlgorithmException

* @throws CertificateException

* @throws FileNotFoundException

private static KeyStore getKeyStore(ConnectionConfiguration config) throws KeyStoreException, IOException,

NoSuchAlgorithmException, CertificateException, FileNotFoundException {

KeyStore ks;

synchronized (stores) {

KeyStoreOptions options = new KeyStoreOptions(config.getTruststoreType(), config.getTruststorePath(),

config.getTruststorePassword());

if (stores.containsKey(options)) {

logger.log(Level.INFO, "从缓存中获取trustKeystore");

ks = stores.get(options);

} else {

File file = new File(config.getTruststorePath());

char[] password = config.getTruststorePassword().toCharArray();

logger.log(Level.INFO, "加载" + file + "证书文件");

ks = KeyStore.getInstance(KeyStore.getDefaultType());

if (!file.exists()) {

logger.log(Level.INFO, "证书文件不存在，选择自动创建");

ks.load(null, password);

} else {

logger.log(Level.INFO, "证书文件存在，开始加载");

InputStream in = new FileInputStream(file);

ks.load(in, password);

in.close();

}

stores.put(options, ks);

}

return ks;

}

public static SSLSocket createTrustCASocket(String host, int port) throws Exception {

return createTrustCASocket(host, port, null);

}

public static SSLSocket createTrustCASocket(Socket s, ConnectionConfiguration config) throws Exception {

if (config == null) {

config = new ConnectionConfiguration();

}

KeyStore ks = getKeyStore(config);

SSLContext context = SSLContext.getInstance("TLS");

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(ks);

X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];

CAX509TrustManager tm = new CAX509TrustManager(defaultTrustManager, ks, config);

context.init(null, new TrustManager[] { tm }, new SecureRandom());

SSLSocketFactory factory = context.getSocketFactory();

String host = s.getInetAddress().getHostName();

int port = s.getPort();

logger.log(Level.INFO, "开始连接： " + host + ":" + port + "...");

SSLSocket socket = (SSLSocket) factory.createSocket(s, host, port, true);

socket.setSoTimeout(10000);

config.setServer(s.getInetAddress().getHostName());

config.setPort(s.getPort());

X509Certificate certificate = (X509Certificate) ks.getCertificate(host + ":" + s.getPort());

if (certificate != null && isValid(certificate)) {

logger.log(Level.INFO, "-证书文件存在并且有效，无需进行握手-");

return socket;

}

if (!startHandshake(socket)) {

return null;

}

X509Certificate[] chain = tm.chain;

if (chain == null || chain.length == 0) {

logger.log(Level.SEVERE, "-证书链为空，认证失败-");

return null;

}

if (config.isVerifyRootCAEnabled()) {

boolean isValidRootCA = checkX509CertificateRootCA(ks, chain, config.isSelfSignedCertificateEnabled());

if (!isValidRootCA) {

logger.log(Level.SEVERE, "根证书校验无效");

return null;

}

return socket;

}

public static SSLSocket createTrustCASocket(Socket s) throws Exception {

return createTrustCASocket(s, null);

}

public static class CAX509TrustManager implements X509TrustManager {

private final X509TrustManager tm;

private X509Certificate[] chain;

private KeyStore keyStore;

private ConnectionConfiguration config;

public MessageDigest sha1 = null;

public MessageDigest md5 = null;

public CAX509TrustManager(X509TrustManager tm, KeyStore ks, ConnectionConfiguration config)

throws NoSuchAlgorithmException {

this.tm = tm;

this.keyStore = ks;

sha1 = MessageDigest.getInstance("SHA1");

md5 = MessageDigest.getInstance("MD5");

this.config = config;

}

public X509Certificate[] getAcceptedIssuers() {

return tm.getAcceptedIssuers(); // 生成证书数组，用于存储新证书

}

public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {

tm.checkClientTrusted(chain, authType); // 检查客户端

}

public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {

if (this.chain == null) {

this.chain = getAcceptedIssuers();

}

if (chain != null && chain.length > 0) {

if (!checkX509CertificateValid(chain, config)) {

logger.log(Level.SEVERE, "证书校验未通过");

return;

}

for (int i = 0; i < chain.length; i++) {

X509Certificate certificate = chain[i];

if (i == 0) {

saveCAToKeyStore(certificate, config.getServer() + ":" + config.getPort());

} else {

saveCAToKeyStore(certificate, null);

}

public void saveCAToKeyStore(X509Certificate certificate, String aliasKey) throws CertificateEncodingException {

try {

X509Certificate cert = certificate;

System.out.println(" Subject " + cert.getSubjectDN());

System.out.println(" Issuer " + cert.getIssuerDN());

sha1.update(cert.getEncoded());

System.out.println(" sha1 " + toHexString(sha1.digest()));

md5.update(cert.getEncoded());

System.out.println(" md5 " + toHexString(md5.digest()));

String alias = keyStore.getCertificateAlias(cert);

if (alias == null || alias != null && !isValid(certificate)) {

if (aliasKey == null || aliasKey.length() == 0) {

alias = cert.getSubjectDN().getName();

} else {

alias = aliasKey;

logger.log(Level.INFO, "设定指定证书别名:" + alias);

}

keyStore.setCertificateEntry(alias, certificate);

OutputStream out = new FileOutputStream(config.getTruststorePath());

keyStore.store(out, config.getTruststorePassword().toCharArray());

out.close();

chain = Arrays.copyOf(chain, chain.length + 1);

chain[chain.length - 1] = certificate;

logger.fine(certificate.toString());

}

} catch (KeyStoreException e) {

e.printStackTrace();

} catch (FileNotFoundException e) {

e.printStackTrace();

} catch (NoSuchAlgorithmException e) {

e.printStackTrace();

} catch (CertificateException e) {

e.printStackTrace();

} catch (IOException e) {

e.printStackTrace();

}

public static boolean isValid(X509Certificate cert) {

if (cert == null) {

return false;

}

try {

cert.checkValidity();

} catch (CertificateExpiredException e) {

e.printStackTrace();

return false;

} catch (CertificateNotYetValidException e) {

e.printStackTrace();

return false;

}

return true;

}

/**

* 校验证书的有效性

* @param chain

* @param config

* @return

private static boolean checkX509CertificateValid(X509Certificate[] chain, ConnectionConfiguration config) {

boolean result = true;

if (config.isExpiredCertificatesCheckEnabled()) {

result = result && checkX509CertificateExpired(chain);

}

if (config.isVerifyChainEnabled()) {

result = result && checkX509CertificateChain(chain);

}

if (config.isNotMatchingDomainCheckEnabled()) {

result = result && checkIsMatchDomain(chain, config.getServer());

}

return result;

}

/**

* 检查是否匹配域名

* @param x509Certificates

* @param server

* @return

public static boolean checkIsMatchDomain(X509Certificate[] x509Certificates, String server) {

server = server.toLowerCase();

List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);

if (peerIdentities.size() == 1 && peerIdentities.get(0).startsWith("*.")) {

String peerIdentity = peerIdentities.get(0).replace("*.", "");

if (!server.endsWith(peerIdentity)) {

return false;

}

} else {

for (int i = 0; i < peerIdentities.size(); i++) {

String peerIdentity = peerIdentities.get(i).replace("*.", "");

if (server.endsWith(peerIdentity)) {

return true;

}

return false;

}

/**

* 校验根证书

* @param trustStore

* @param x509Certificates

* @param isSelfSignedCertificate

* 是否自签名证书

* @return

public static boolean checkX509CertificateRootCA(KeyStore trustStore, X509Certificate[] x509Certificates,

boolean isSelfSignedCertificate) {

List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);

boolean trusted = false;

try {

int size = x509Certificates.length;

trusted = trustStore.getCertificateAlias(x509Certificates[size - 1]) != null;

if (!trusted && size == 1 && isSelfSignedCertificate) {

logger.log(Level.WARNING, "-强制认可自签名证书-");

trusted = true;

}

} catch (KeyStoreException e) {

e.printStackTrace();

}

if (!trusted) {

logger.log(Level.SEVERE, "-根证书签名的网站：" + peerIdentities + "不能被信任");

}

return trusted;

}

/**

* 检查证书是否过期

* @param x509Certificates

* @return

public static boolean checkX509CertificateExpired(X509Certificate[] x509Certificates) {

Date date = new Date();

for (int i = 0; i < x509Certificates.length; i++) {

try {

x509Certificates[i].checkValidity(date);

} catch (GeneralSecurityException generalsecurityexception) {

logger.log(Level.SEVERE, "-证书已经过期-");

return false;

}

return true;

}

/**

* 校验证书链的完整性

* @param x509Certificates

* @return

public static boolean checkX509CertificateChain(X509Certificate[] x509Certificates) {

Principal principalLast = null;

List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);

for (int i = x509Certificates.length - 1; i >= 0; i--) {

X509Certificate x509certificate = x509Certificates[i];

Principal principalIssuer = x509certificate.getIssuerDN();

Principal principalSubject = x509certificate.getSubjectDN();

if (principalLast != null) {

if (principalIssuer.equals(principalLast)) {

try {

PublicKey publickey = x509Certificates[i + 1].getPublicKey();

x509Certificates[i].verify(publickey);

} catch (GeneralSecurityException generalsecurityexception) {

logger.log(Level.SEVERE, "-无效的证书签名-" + peerIdentities);

return false;

}

} else {

logger.log(Level.SEVERE, "-无效的证书签名-" + peerIdentities);

return false;

}

principalLast = principalSubject;

}

return true;

}

/**

* 返回所有可用的签名方式键值对如CN=VeriSignMPKI-2-6

* @param certificate

* @return

private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {

List<String> identities = new ArrayList<String>();

try {

Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();

if (altNames == null) {

return Collections.emptyList();

}

Iterator<List<?>> iterator = altNames.iterator();

do {

if (!iterator.hasNext())

break;

List<?> altName = iterator.next();

int size = altName.size();

if (size >= 2) {

identities.add((String) altName.get(1));

}

} while (true);

} catch (CertificateParsingException e) {

e.printStackTrace();

}

return identities;

}

/**

* 返回所有可用的签名方式的值

* @param certificate

* @return

public static List<String> getPeerIdentity(X509Certificate x509Certificate) {

List<String> names = getSubjectAlternativeNames(x509Certificate);

if (names.isEmpty()) {

String name = x509Certificate.getSubjectDN().getName();

Matcher matcher = cnPattern.matcher(name);

if (matcher.find()) {

name = matcher.group(2);

}

names = new ArrayList<String>();

names.add(name);

}

return names;

}

三.测试代码

public class TestX509CertManager {

 public static void main(String[] args) {
		try {
			SSLSocket baiduSocket = SSLX509CertificateManager.createTrustCASocket("www.baidu.com", 443);
			SSLSocket taobaoSocket = SSLX509CertificateManager.createTrustCASocket("www.taobao.com", 443);
			SSLSocket imququSocket = SSLX509CertificateManager.createTrustCASocket("imququ.com", 443);
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}

public class TestX509CertManager {

public static void main(String[] args) {

try {

SSLSocket baiduSocket = SSLX509CertificateManager.createTrustCASocket("www.baidu.com", 443);

SSLSocket taobaoSocket = SSLX509CertificateManager.createTrustCASocket("www.taobao.com", 443);

SSLSocket imququSocket = SSLX509CertificateManager.createTrustCASocket("imququ.com", 443);

} catch (Exception e) {

e.printStackTrace();

}

四.附加测试代码

我们这里附加一个工具类，专门来实现Server-Side与Client-Side的SSLSocket 连接，也可以用于测试我们的上述代码，只不过需要稍加改造。

package com.tianwt.rx.http;

public class SSLTrustManager implements javax.net.ssl.TrustManager,
            javax.net.ssl.X509TrustManager ,HostnameVerifier {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[]{};
        }
  
        public boolean isServerTrusted(
                java.security.cert.X509Certificate[] certs) {
            return true;
        }
  
        public boolean isClientTrusted(
                java.security.cert.X509Certificate[] certs) {
            return true;
        }
  
        public void checkServerTrusted(
                java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }
  
        public void checkClientTrusted(
                java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }
         
            @Override
        public boolean verify(String urlHostName, SSLSession session) { //允许所有主机
            return true;
        }
        
   /**
    * 客户端使用
    */
   public static HttpURLConnection connectTrustAllServer(String strUrl) throws Exception {
         
        return connectTrustAllServer(strUrl,null);
    }
   /**
    * 客户端使用
    * 
    * @param strUrl 要访问的地址
    * @param proxy 需要经过的代理
    * @return
    * @throws Exception
    */
   public static HttpURLConnection connectTrustAllServer(String strUrl,Proxy proxy) throws Exception {
         
         javax.net.ssl.TrustManager[] trustCertsmanager = new javax.net.ssl.TrustManager[1];
         javax.net.ssl.TrustManager tm = new SSLTrustManager();
         trustCertsmanager[0] = tm;
         javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext
                 .getInstance("TLS");
         sc.init(null, trustCertsmanager, null);
         javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc
                 .getSocketFactory());
          
         HttpsURLConnection.setDefaultHostnameVerifier((HostnameVerifier) tm);
          
        URL url = new URL(strUrl);
        HttpURLConnection urlConn = null;
        if(proxy==null)
        {
        	 urlConn = (HttpURLConnection) url.openConnection();
        }else{
        	 urlConn = (HttpURLConnection) url.openConnection(proxy);
        }
        urlConn.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");
        return urlConn;
    }

   /**
    * 用于双向认证,客户端使用
    * 
    * @param strUrl
    * @param proxy
    * @return
    * @throws KeyStoreException
    * @throws NoSuchAlgorithmException
    * @throws CertificateException
    * @throws FileNotFoundException
    * @throws IOException
    * @throws UnrecoverableKeyException
    * @throws KeyManagementException
    */
   public static HttpURLConnection connectProxyTrustCA(String strUrl,Proxy proxy) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException
   {
	   HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
			
			@Override
public boolean verify(String s, SSLSession sslsession) {
				
				return true;
			}
		});
	   String clientKeyStoreFile = "D:/JDK8Home/tianwt/sslClientKeys";  
       String clientKeyStorePwd = "123456";  
       String catServerKeyPwd = "123456";  
       
       String serverTrustKeyStoreFile = "D:/JDK8Home/tianwt/sslClientTrust";  
       String serverTrustKeyStorePwd = "123456";  
       KeyStore serverKeyStore = KeyStore.getInstance("JKS");  
       serverKeyStore.load(new FileInputStream(clientKeyStoreFile), clientKeyStorePwd.toCharArray());  
 
       KeyStore serverTrustKeyStore = KeyStore.getInstance("JKS");  
       serverTrustKeyStore.load(new FileInputStream(serverTrustKeyStoreFile), serverTrustKeyStorePwd.toCharArray());  
 
       KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());  
       kmf.init(serverKeyStore, catServerKeyPwd.toCharArray());  
 
       TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());  
       tmf.init(serverTrustKeyStore);  
 
       SSLContext sslContext = SSLContext.getInstance("TLS");  
       sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());  
        
       HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
		
	   URL url = new URL(strUrl);
	   HttpURLConnection httpURLConnection = null;
	   if(proxy==null)
	   {
		   httpURLConnection = (HttpURLConnection) url.openConnection();
	   }else{
		   httpURLConnection = (HttpURLConnection) url.openConnection(proxy);
	   }
	   httpURLConnection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");
	   return httpURLConnection;

   }
   /**
    * 用于单向认证，客户端使用
    * 
    * server侧只需要自己的keystore文件，不需要truststore文件
	* client侧不需要自己的keystore文件，只需要truststore文件（其中包含server的公钥）。
    * 此外server侧需要在创建SSLServerSocket之后设定不需要客户端证书：setNeedClientAuth(false)
    * @param strUrl
    * @param proxy
    * @return
    * @throws KeyStoreException
    * @throws NoSuchAlgorithmException
    * @throws CertificateException
    * @throws FileNotFoundException
    * @throws IOException
    * @throws UnrecoverableKeyException
    * @throws KeyManagementException
    */
   public static HttpURLConnection connectProxyTrustCA2(String strUrl,Proxy proxy) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException
   {
	   HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
			
			@Override
public boolean verify(String s, SSLSession sslsession) {
				
				return true;
			}
		});
       
       String serverTrustKeyStoreFile = "D:/JDK8Home/tianwt/sslClientTrust";  
       String serverTrustKeyStorePwd = "123456";  
 
       KeyStore serverTrustKeyStore = KeyStore.getInstance("JKS");  
       serverTrustKeyStore.load(new FileInputStream(serverTrustKeyStoreFile), serverTrustKeyStorePwd.toCharArray());  
 
       TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());  
       tmf.init(serverTrustKeyStore);  
 
       SSLContext sslContext = SSLContext.getInstance("TLS");  
       sslContext.init(null, tmf.getTrustManagers(), null);  
        
       HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
		
	   URL url = new URL(strUrl);
	   HttpURLConnection httpURLConnection = null;
	   if(proxy==null)
	   {
		   httpURLConnection = (HttpURLConnection) url.openConnection();
	   }else{
		   httpURLConnection = (HttpURLConnection) url.openConnection(proxy);
	   }
	   httpURLConnection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");
	   return httpURLConnection;

   }
   /**
    * 用于双向认证
    * @param socketClient 是否产生socket
    * @return
    * @throws KeyStoreException
    * @throws NoSuchAlgorithmException
    * @throws CertificateException
    * @throws FileNotFoundException
    * @throws IOException
    * @throws UnrecoverableKeyException
    * @throws KeyManagementException
    */
   public SSLSocket createTlsConnect(Socket socketClient) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException
	{
		
		    String protocol = "TLS";  
	        String serverKey = "D:/JDK8Home/tianwt/sslServerKeys";  
	        String serverTrust = "D:/JDK8Home/tianwt/sslServerTrust";  
	        String serverKeyPwd = "123456";  //私钥密码
	        String serverTrustPwd = "123456";  //信任证书密码
	        String serverKeyStorePwd = "123456";  // keystore存储密码
	          
	        KeyStore keyStore = KeyStore.getInstance("JKS");    
	        keyStore.load(new FileInputStream(serverKey),serverKeyPwd.toCharArray());  
	        
	        KeyStore tks = KeyStore.getInstance("JKS");
	        tks.load(new FileInputStream(serverTrust), serverTrustPwd.toCharArray());
	        
	        KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());   
	        km.init(keyStore, serverKeyStorePwd.toCharArray());
	        
	        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());  
	        tmf.init(tks);
	        
	        SSLContext sslContext = SSLContext.getInstance(protocol); 
	        sslContext.init(km.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());  //第一项是用来做服务器验证的
	        
	        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
	        SSLSocket clientSSLSocket = (SSLSocket) sslSocketFactory.createSocket(socketClient,socketClient.getInetAddress().getHostAddress(),socketClient.getPort(), true);
	        clientSSLSocket.setNeedClientAuth(false);
	        clientSSLSocket.setUseClientMode(false);
	        
	        return clientSSLSocket;
	}
   /**
    * 用于单向认证
    * server侧只需要自己的keystore文件，不需要truststore文件
	* client侧不需要自己的keystore文件，只需要truststore文件（其中包含server的公钥）。
    * 此外server侧需要在创建SSLServerSocket之后设定不需要客户端证书：setNeedClientAuth(false)
    * @param socketClient
    * @return
    * @throws KeyStoreException
    * @throws NoSuchAlgorithmException
    * @throws CertificateException
    * @throws FileNotFoundException
    * @throws IOException
    * @throws UnrecoverableKeyException
    * @throws KeyManagementException
    */
   public static SSLSocket createTlsConnect2(Socket socketClient) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException
  	{
  		
  		    String protocol = "TLS";  
  	        String serverKey = "D:/JDK8Home/tianwt/sslServerKeys";  
  	        String serverKeyPwd = "123456";  //私钥密码
  	        String serverKeyStorePwd = "123456";  // keystore存储密码
  	          
  	        KeyStore keyStore = KeyStore.getInstance("JKS");    
  	        keyStore.load(new FileInputStream(serverKey),serverKeyPwd.toCharArray());  
  	        
  	        KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());   
  	        km.init(keyStore, serverKeyStorePwd.toCharArray());
  	        
  	        SSLContext sslContext = SSLContext.getInstance(protocol); 
  	        sslContext.init(km.getKeyManagers(), null, new SecureRandom());  //第一项是用来做服务器验证的
  	        
  	        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
  	        SSLSocket clientSSLSocket = (SSLSocket) sslSocketFactory.createSocket(socketClient,socketClient.getInetAddress().getHostAddress(),socketClient.getPort(), true);
  	        clientSSLSocket.setNeedClientAuth(false);
  	        clientSSLSocket.setUseClientMode(false);
  	        
  	        return clientSSLSocket;
  	}
   
   /**
    * 将普通的socket转为sslsocket，客户端和服务端均可使用
    * 
    * 服务端使用的时候是把普通的socket转为sslsocket,并且作为服务器套接字（注意：指的不是ServerSocket,当然ServerSocket的本质也是普通socket）
    * 
    * @param remoteHost
    * @param isClient
    * @return
    */
public static SSLSocket getTlsTrustAllSocket(Socket remoteHost,boolean isClient)
{
		SSLSocket remoteSSLSocket = null;
		SSLContext context = SSLTrustManager.getTrustAllSSLContext(isClient);
		try {
			remoteSSLSocket =  (SSLSocket) context.getSocketFactory().createSocket(remoteHost, remoteHost.getInetAddress().getHostName(),remoteHost.getPort(), true);
			remoteSSLSocket.setTcpNoDelay(true);
			remoteSSLSocket.setSoTimeout(5000);
			remoteSSLSocket.setNeedClientAuth(false); //这里设置为true时会强制握手
			remoteSSLSocket.setUseClientMode(isClient); //注意服务器和客户的角色选择 
			 
		} catch (IOException e) {
			e.printStackTrace();
		}
		return remoteSSLSocket;
	}
	/**
	 * 用于客户端，通过所有证书验证
	 * @param isClient 是否生成客户端SSLContext，否则生成服务端SSLContext
	 * @return
	 */
   public static SSLContext getTrustAllSSLContext(boolean isClient)
   {
	   String protocol = "TLS"; 
	   javax.net.ssl.SSLContext sc = null;
	   try {
		javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
		   javax.net.ssl.TrustManager tm = new SSLTrustManager();
		   trustAllCerts[0] = tm;
		    sc = javax.net.ssl.SSLContext
		           .getInstance(protocol);
		   
		    if(isClient)
		    {
		    	sc.init(null, trustAllCerts, null); //作为客户端使用
		    }
		    else
		    {
	  	        String serverKeyPath = "D:/JDK8Home/tianwt/sslServerKeys";  
	  	        String serverKeyPwd = "123456";  //私钥密码
	  	        String serverKeyStorePwd = "123456";  // keystore存储密码
	  	        
	  	        KeyStore keyStore = KeyStore.getInstance("JKS");    
	  	        keyStore.load(new FileInputStream(serverKeyPath),serverKeyPwd.toCharArray());  
	  	        
		    	KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());   
		  	    km.init(keyStore, serverKeyStorePwd.toCharArray());
		  	    KeyManager[] keyManagers = km.getKeyManagers();
		  	    keyManagers = Arrays.copyOf(keyManagers, keyManagers.length+1);
	  	        sc.init(keyManagers, null, new SecureRandom());
		    }
	} catch (KeyManagementException e) {
		e.printStackTrace();
	} catch (NoSuchAlgorithmException e) {
		e.printStackTrace();
	} catch (UnrecoverableKeyException e) {
		e.printStackTrace();
	} catch (KeyStoreException e) {
		e.printStackTrace();
	} catch (CertificateException e) {
		e.printStackTrace();
	} catch (FileNotFoundException e) {
		e.printStackTrace();
	} catch (IOException e) {
		e.printStackTrace();
	}
	   return sc;
   }
 }

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

package com.tianwt.rx.http;

public class SSLTrustManager implements javax.net.ssl.TrustManager,

javax.net.ssl.X509TrustManager ,HostnameVerifier {

public java.security.cert.X509Certificate[] getAcceptedIssuers() {

return new X509Certificate[]{};

}

public boolean isServerTrusted(

java.security.cert.X509Certificate[] certs) {

return true;

}

public boolean isClientTrusted(

java.security.cert.X509Certificate[] certs) {

return true;

}

public void checkServerTrusted(

java.security.cert.X509Certificate[] certs, String authType)

throws java.security.cert.CertificateException {

return;

}

public void checkClientTrusted(

java.security.cert.X509Certificate[] certs, String authType)

throws java.security.cert.CertificateException {

return;

}

@Override

public boolean verify(String urlHostName, SSLSession session) { //允许所有主机

return true;

}

/**

* 客户端使用

public static HttpURLConnection connectTrustAllServer(String strUrl) throws Exception {

return connectTrustAllServer(strUrl,null);

}

/**

* 客户端使用

* @param strUrl 要访问的地址

* @param proxy 需要经过的代理

* @return

* @throws Exception

public static HttpURLConnection connectTrustAllServer(String strUrl,Proxy proxy) throws Exception {

javax.net.ssl.TrustManager[] trustCertsmanager = new javax.net.ssl.TrustManager[1];

javax.net.ssl.TrustManager tm = new SSLTrustManager();

trustCertsmanager[0] = tm;

javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext

.getInstance("TLS");

sc.init(null, trustCertsmanager, null);

javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc

.getSocketFactory());

HttpsURLConnection.setDefaultHostnameVerifier((HostnameVerifier) tm);

URL url = new URL(strUrl);

HttpURLConnection urlConn = null;

if(proxy==null)

{

urlConn = (HttpURLConnection) url.openConnection();

}else{

urlConn = (HttpURLConnection) url.openConnection(proxy);

}

urlConn.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");

return urlConn;

}

/**

* 用于双向认证,客户端使用

* @param strUrl

* @param proxy

* @return

* @throws KeyStoreException

* @throws NoSuchAlgorithmException

* @throws CertificateException

* @throws FileNotFoundException

* @throws IOException

* @throws UnrecoverableKeyException

* @throws KeyManagementException

public static HttpURLConnection connectProxyTrustCA(String strUrl,Proxy proxy) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException

{

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {

@Override

public boolean verify(String s, SSLSession sslsession) {

return true;

}

});

String clientKeyStoreFile = "D:/JDK8Home/tianwt/sslClientKeys";

String clientKeyStorePwd = "123456";

String catServerKeyPwd = "123456";

String serverTrustKeyStoreFile = "D:/JDK8Home/tianwt/sslClientTrust";

String serverTrustKeyStorePwd = "123456";

KeyStore serverKeyStore = KeyStore.getInstance("JKS");

serverKeyStore.load(new FileInputStream(clientKeyStoreFile), clientKeyStorePwd.toCharArray());

KeyStore serverTrustKeyStore = KeyStore.getInstance("JKS");

serverTrustKeyStore.load(new FileInputStream(serverTrustKeyStoreFile), serverTrustKeyStorePwd.toCharArray());

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

kmf.init(serverKeyStore, catServerKeyPwd.toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(serverTrustKeyStore);

SSLContext sslContext = SSLContext.getInstance("TLS");

sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

URL url = new URL(strUrl);

HttpURLConnection httpURLConnection = null;

if(proxy==null)

{

httpURLConnection = (HttpURLConnection) url.openConnection();

}else{

httpURLConnection = (HttpURLConnection) url.openConnection(proxy);

}

httpURLConnection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");

return httpURLConnection;

}

/**

* 用于单向认证，客户端使用

* server侧只需要自己的keystore文件，不需要truststore文件

* client侧不需要自己的keystore文件，只需要truststore文件（其中包含server的公钥）。

* 此外server侧需要在创建SSLServerSocket之后设定不需要客户端证书：setNeedClientAuth(false)

* @param strUrl

* @param proxy

* @return

* @throws KeyStoreException

* @throws NoSuchAlgorithmException

* @throws CertificateException

* @throws FileNotFoundException

* @throws IOException

* @throws UnrecoverableKeyException

* @throws KeyManagementException

public static HttpURLConnection connectProxyTrustCA2(String strUrl,Proxy proxy) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException

{

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {

@Override

public boolean verify(String s, SSLSession sslsession) {

return true;

}

});

String serverTrustKeyStoreFile = "D:/JDK8Home/tianwt/sslClientTrust";

String serverTrustKeyStorePwd = "123456";

KeyStore serverTrustKeyStore = KeyStore.getInstance("JKS");

serverTrustKeyStore.load(new FileInputStream(serverTrustKeyStoreFile), serverTrustKeyStorePwd.toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(serverTrustKeyStore);

SSLContext sslContext = SSLContext.getInstance("TLS");

sslContext.init(null, tmf.getTrustManagers(), null);

HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

URL url = new URL(strUrl);

HttpURLConnection httpURLConnection = null;

if(proxy==null)

{

httpURLConnection = (HttpURLConnection) url.openConnection();

}else{

httpURLConnection = (HttpURLConnection) url.openConnection(proxy);

}

httpURLConnection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");

return httpURLConnection;

}

/**

* 用于双向认证

* @param socketClient 是否产生socket

* @return

* @throws KeyStoreException

* @throws NoSuchAlgorithmException

* @throws CertificateException

* @throws FileNotFoundException

* @throws IOException

* @throws UnrecoverableKeyException

* @throws KeyManagementException

public SSLSocket createTlsConnect(Socket socketClient) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException

{

String protocol = "TLS";

String serverKey = "D:/JDK8Home/tianwt/sslServerKeys";

String serverTrust = "D:/JDK8Home/tianwt/sslServerTrust";

String serverKeyPwd = "123456"; //私钥密码

String serverTrustPwd = "123456"; //信任证书密码

String serverKeyStorePwd = "123456"; // keystore存储密码

KeyStore keyStore = KeyStore.getInstance("JKS");

keyStore.load(new FileInputStream(serverKey),serverKeyPwd.toCharArray());

KeyStore tks = KeyStore.getInstance("JKS");

tks.load(new FileInputStream(serverTrust), serverTrustPwd.toCharArray());

KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

km.init(keyStore, serverKeyStorePwd.toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(tks);

SSLContext sslContext = SSLContext.getInstance(protocol);

sslContext.init(km.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom()); //第一项是用来做服务器验证的

SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

SSLSocket clientSSLSocket = (SSLSocket) sslSocketFactory.createSocket(socketClient,socketClient.getInetAddress().getHostAddress(),socketClient.getPort(), true);

clientSSLSocket.setNeedClientAuth(false);

clientSSLSocket.setUseClientMode(false);

return clientSSLSocket;

}

/**

* 用于单向认证

* server侧只需要自己的keystore文件，不需要truststore文件

* client侧不需要自己的keystore文件，只需要truststore文件（其中包含server的公钥）。

* 此外server侧需要在创建SSLServerSocket之后设定不需要客户端证书：setNeedClientAuth(false)

* @param socketClient

* @return

* @throws KeyStoreException

* @throws NoSuchAlgorithmException

* @throws CertificateException

* @throws FileNotFoundException

* @throws IOException

* @throws UnrecoverableKeyException

* @throws KeyManagementException

public static SSLSocket createTlsConnect2(Socket socketClient) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException

{

String protocol = "TLS";

String serverKey = "D:/JDK8Home/tianwt/sslServerKeys";

String serverKeyPwd = "123456"; //私钥密码

String serverKeyStorePwd = "123456"; // keystore存储密码

KeyStore keyStore = KeyStore.getInstance("JKS");

keyStore.load(new FileInputStream(serverKey),serverKeyPwd.toCharArray());

KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

km.init(keyStore, serverKeyStorePwd.toCharArray());

SSLContext sslContext = SSLContext.getInstance(protocol);

sslContext.init(km.getKeyManagers(), null, new SecureRandom()); //第一项是用来做服务器验证的

SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

SSLSocket clientSSLSocket = (SSLSocket) sslSocketFactory.createSocket(socketClient,socketClient.getInetAddress().getHostAddress(),socketClient.getPort(), true);

clientSSLSocket.setNeedClientAuth(false);

clientSSLSocket.setUseClientMode(false);

return clientSSLSocket;

}

/**

* 将普通的socket转为sslsocket，客户端和服务端均可使用

* 服务端使用的时候是把普通的socket转为sslsocket,并且作为服务器套接字（注意：指的不是ServerSocket,当然ServerSocket的本质也是普通socket）

* @param remoteHost

* @param isClient

* @return

public static SSLSocket getTlsTrustAllSocket(Socket remoteHost,boolean isClient)

{

SSLSocket remoteSSLSocket = null;

SSLContext context = SSLTrustManager.getTrustAllSSLContext(isClient);

try {

remoteSSLSocket = (SSLSocket) context.getSocketFactory().createSocket(remoteHost, remoteHost.getInetAddress().getHostName(),remoteHost.getPort(), true);

remoteSSLSocket.setTcpNoDelay(true);

remoteSSLSocket.setSoTimeout(5000);

remoteSSLSocket.setNeedClientAuth(false); //这里设置为true时会强制握手

remoteSSLSocket.setUseClientMode(isClient); //注意服务器和客户的角色选择

} catch (IOException e) {

e.printStackTrace();

}

return remoteSSLSocket;

}

/**

* 用于客户端，通过所有证书验证

* @param isClient 是否生成客户端SSLContext，否则生成服务端SSLContext

* @return

public static SSLContext getTrustAllSSLContext(boolean isClient)

{

String protocol = "TLS";

javax.net.ssl.SSLContext sc = null;

try {

javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];

javax.net.ssl.TrustManager tm = new SSLTrustManager();

trustAllCerts[0] = tm;

sc = javax.net.ssl.SSLContext

.getInstance(protocol);

if(isClient)

{

sc.init(null, trustAllCerts, null); //作为客户端使用

}

else

{

String serverKeyPath = "D:/JDK8Home/tianwt/sslServerKeys";

String serverKeyPwd = "123456"; //私钥密码

String serverKeyStorePwd = "123456"; // keystore存储密码

KeyStore keyStore = KeyStore.getInstance("JKS");

keyStore.load(new FileInputStream(serverKeyPath),serverKeyPwd.toCharArray());

KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

km.init(keyStore, serverKeyStorePwd.toCharArray());

KeyManager[] keyManagers = km.getKeyManagers();

keyManagers = Arrays.copyOf(keyManagers, keyManagers.length+1);

sc.init(keyManagers, null, new SecureRandom());

}

} catch (KeyManagementException e) {

e.printStackTrace();

} catch (NoSuchAlgorithmException e) {

e.printStackTrace();

} catch (UnrecoverableKeyException e) {

e.printStackTrace();

} catch (KeyStoreException e) {

e.printStackTrace();

} catch (CertificateException e) {

e.printStackTrace();

} catch (FileNotFoundException e) {

e.printStackTrace();

} catch (IOException e) {

e.printStackTrace();

}

return sc;

}

参考链接

Java 实现TLS/SSL证书的自动安装校验

oKHttp 3.0忽略/检查https证书

最近公司项目需要，网络协议支持HTTPS，之前接触不多，所以这次想总结一下https在Android开发中的相关内容

一、HTTPS 证书

对于HTTPS和证书的概念，大家可以自行搜索百度。

证书分两种：

1、花钱向认证机构购买的证书。服务器如果使用了此类证书的话，那对于移动端来说，直接可以忽略此证书，直接用https访问。与之不同的是ios内置了很多信任的证书，所以他们不需要做任何操作

2、另一种是自己制作的证书，使用此类证书的话是不受信任的，也不需要花钱，所以需要我们在代码中将此类证书设置为信任证书

二、如何忽略证书

注意，下面的操作在线上环境强烈不建议采纳，只能是在测试环境中解决测试问题的时候才能使用。

1、服务器如果加上了证书的话，那么你们的网络请求的url将从http:xx改成https:xx,如果你直接也将http改成https的话而什么也不做的话，客户端将直接报错，如图：

继续阅读oKHttp 3.0忽略/检查https证书

Android：调整线程调用栈大小

在常规的Android开发过程中，随着业务逻辑越来越复杂，调用栈可能会越来越深，难免会遇到调用栈越界的情况，这种情况下，就需要调整线程栈的大小。

当然，主要还是增大线程栈大小，尤其是存在jni调用的情况下，C++层的栈开销有时候是非常恐怖的，比如说递归调用。

这就需要分三种情况，主线程，自定义线程池，AsyncTask。

主线程的线程栈是没有办法进行修改的，这个没办法处理。

针对线程池的情况，需要在创建线程的时候，调用构造函数

public Thread(@RecentlyNullable ThreadGroup group, @RecentlyNullable Runnable target, @RecentlyNonNull String name, long stackSize)

1	public Thread(@RecentlyNullable ThreadGroup group, @RecentlyNullable Runnable target, @RecentlyNonNull String name, long stackSize)

通过设置stackSize参数来解决问题。

参考代码如下：

import android.support.annotation.NonNull;
import android.util.Log;

import java.util.concurrent.ThreadFactory;

/**
 * A ThreadFactory implementation which create new threads for the thread pool.
 */
public class SimpleThreadFactory implements ThreadFactory {
    private static final String TAG = "SimpleThreadFactory";
    private final static ThreadGroup group = new ThreadGroup("SimpleThreadFactoryGroup");
    // 工作线程堆栈大小调整为2MB
    private final static int workerStackSize = 2 * 1024 * 1024;

    @Override
    public Thread newThread(@NonNull final Runnable runnable) {
        final Thread thread = new Thread(group, runnable, "PoolWorkerThread", workerStackSize);
        // A exception handler is created to log the exception from threads
        thread.setUncaughtExceptionHandler(new Thread.UncaughtExceptionHandler() {
            @Override
            public void uncaughtException(@NonNull Thread thread, @NonNull Throwable ex) {
                Log.e(TAG, thread.getName() + " encountered an error: " + ex.getMessage());
            }
        });

        return thread;
    }
}

import android.support.annotation.NonNull;

import android.util.Log;

import java.util.concurrent.ThreadFactory;

/**

* A ThreadFactory implementation which create new threads for the thread pool.

public class SimpleThreadFactory implements ThreadFactory {

private static final String TAG = "SimpleThreadFactory";

private final static ThreadGroup group = new ThreadGroup("SimpleThreadFactoryGroup");

// 工作线程堆栈大小调整为2MB

private final static int workerStackSize = 2 * 1024 * 1024;

@Override

public Thread newThread(@NonNull final Runnable runnable) {

final Thread thread = new Thread(group, runnable, "PoolWorkerThread", workerStackSize);

// A exception handler is created to log the exception from threads

thread.setUncaughtExceptionHandler(new Thread.UncaughtExceptionHandler() {

@Override

public void uncaughtException(@NonNull Thread thread, @NonNull Throwable ex) {

Log.e(TAG, thread.getName() + " encountered an error: " + ex.getMessage());

}

});

return thread;

}

import android.support.annotation.AnyThread;
import android.support.annotation.NonNull;
import android.support.annotation.Nullable;
import android.util.Log;

import java.util.concurrent.BlockingQueue;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

/**
 * A Singleton thread pool
 */
public class ThreadPool {
    private static final String TAG = "ThreadPool";
    private static final int KEEP_ALIVE_TIME = 1;
    private static volatile ThreadPool sInstance = null;
    private static int NUMBER_OF_CORES = Runtime.getRuntime().availableProcessors();
    private final ExecutorService mExecutor;
    private final BlockingQueue<Runnable> mTaskQueue;

    // Made constructor private to avoid the class being initiated from outside
    private ThreadPool() {
        // initialize a queue for the thread pool. New tasks will be added to this queue
        mTaskQueue = new LinkedBlockingQueue<>();

        Log.d(TAG, "Available cores: " + NUMBER_OF_CORES);

        mExecutor = new ThreadPoolExecutor(NUMBER_OF_CORES, NUMBER_OF_CORES * 2, KEEP_ALIVE_TIME, TimeUnit.SECONDS, mTaskQueue, new SimpleThreadFactory());
    }

    @NonNull
    @AnyThread
    public static ThreadPool getInstance() {
        if (null == sInstance) {
            synchronized (ThreadPool.class) {
                if (null == sInstance) {
                    sInstance = new ThreadPool();
                }
            }
        }
        return sInstance;
    }

    private boolean isThreadPoolAlive() {
        return (null != mExecutor) && !mExecutor.isTerminated() && !mExecutor.isShutdown();
    }

    @Nullable
    @AnyThread
    public <T> Future<T> submitCallable(@NonNull final Callable<T> c) {
        synchronized (this) {
            if (isThreadPoolAlive()) {
                return mExecutor.submit(c);
            }
        }
        return null;
    }

    @Nullable
    @AnyThread
    public Future<?> submitRunnable(@NonNull final Runnable r) {
        synchronized (this) {
            if (isThreadPoolAlive()) {
                return mExecutor.submit(r);
            }
        }
        return null;
    }

    /* Remove all tasks in the queue and stop all running threads
     */
    @AnyThread
    public void shutdownNow() {
        synchronized (this) {
            mTaskQueue.clear();
            if ((!mExecutor.isShutdown()) && (!mExecutor.isTerminated())) {
                mExecutor.shutdownNow();
            }
        }
    }
}

import android.support.annotation.AnyThread;

import android.support.annotation.NonNull;

import android.support.annotation.Nullable;

import android.util.Log;

import java.util.concurrent.BlockingQueue;

import java.util.concurrent.Callable;

import java.util.concurrent.ExecutorService;

import java.util.concurrent.Future;

import java.util.concurrent.LinkedBlockingQueue;

import java.util.concurrent.ThreadPoolExecutor;

import java.util.concurrent.TimeUnit;

/**

* A Singleton thread pool

public class ThreadPool {

private static final String TAG = "ThreadPool";

private static final int KEEP_ALIVE_TIME = 1;

private static volatile ThreadPool sInstance = null;

private static int NUMBER_OF_CORES = Runtime.getRuntime().availableProcessors();

private final ExecutorService mExecutor;

private final BlockingQueue<Runnable> mTaskQueue;

// Made constructor private to avoid the class being initiated from outside

private ThreadPool() {

// initialize a queue for the thread pool. New tasks will be added to this queue

mTaskQueue = new LinkedBlockingQueue<>();

Log.d(TAG, "Available cores: " + NUMBER_OF_CORES);

mExecutor = new ThreadPoolExecutor(NUMBER_OF_CORES, NUMBER_OF_CORES * 2, KEEP_ALIVE_TIME, TimeUnit.SECONDS, mTaskQueue, new SimpleThreadFactory());

}

@NonNull

@AnyThread

public static ThreadPool getInstance() {

if (null == sInstance) {

synchronized (ThreadPool.class) {

if (null == sInstance) {

sInstance = new ThreadPool();

}

return sInstance;

}

private boolean isThreadPoolAlive() {

return (null != mExecutor) && !mExecutor.isTerminated() && !mExecutor.isShutdown();

}

@Nullable

@AnyThread

public <T> Future<T> submitCallable(@NonNull final Callable<T> c) {

synchronized (this) {

if (isThreadPoolAlive()) {

return mExecutor.submit(c);

}

return null;

}

@Nullable

@AnyThread

public Future<?> submitRunnable(@NonNull final Runnable r) {

synchronized (this) {

if (isThreadPoolAlive()) {

return mExecutor.submit(r);

}

return null;

}

/* Remove all tasks in the queue and stop all running threads

@AnyThread

public void shutdownNow() {

synchronized (this) {

mTaskQueue.clear();

if ((!mExecutor.isShutdown()) && (!mExecutor.isTerminated())) {

mExecutor.shutdownNow();

}

针对AsyncTask的情况，一般是通过调用

public final AsyncTask<Params, Progress, Result> executeOnExecutor(Executor exec, Params... params)

1	public final AsyncTask<Params, Progress, Result> executeOnExecutor(Executor exec, Params... params)

指定线程池来运行，在特定的线程池中调整线程栈的大小。

参考代码如下：

import android.os.AsyncTask;
import android.support.annotation.AnyThread;
import android.support.annotation.NonNull;
import android.util.Log;

import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public abstract class AsyncTaskEx<Params, Progress, Result> extends AsyncTask<Params, Progress, Result> {

    private static final String TAG = "AsyncTaskEx";
    private static final int KEEP_ALIVE_TIME = 1;
    private static volatile ThreadPool sInstance = null;
    private static int NUMBER_OF_CORES = Runtime.getRuntime().availableProcessors();
    private final ExecutorService mExecutor;
    private final BlockingQueue<Runnable> mTaskQueue;

    public AsyncTaskEx() {
        // initialize a queue for the thread pool. New tasks will be added to this queue
        mTaskQueue = new LinkedBlockingQueue<>();

        Log.d(TAG, "Available cores: " + NUMBER_OF_CORES);

        mExecutor = new ThreadPoolExecutor(NUMBER_OF_CORES, NUMBER_OF_CORES * 2, KEEP_ALIVE_TIME, TimeUnit.SECONDS, mTaskQueue, new SimpleThreadFactory());
    }

    public AsyncTask<Params, Progress, Result> executeAsync(@NonNull final Params... params) {
        return super.executeOnExecutor(mExecutor, params);
    }

    /* Remove all tasks in the queue and stop all running threads
     */
    @AnyThread
    public void shutdownNow() {
        synchronized (this) {
            mTaskQueue.clear();
            if ((!mExecutor.isShutdown()) && (!mExecutor.isTerminated())) {
                mExecutor.shutdownNow();
            }
        }
    }
}

import android.os.AsyncTask;

import android.support.annotation.AnyThread;

import android.support.annotation.NonNull;

import android.util.Log;

import java.util.concurrent.BlockingQueue;

import java.util.concurrent.ExecutorService;

import java.util.concurrent.LinkedBlockingQueue;

import java.util.concurrent.ThreadPoolExecutor;

import java.util.concurrent.TimeUnit;

public abstract class AsyncTaskEx<Params, Progress, Result> extends AsyncTask<Params, Progress, Result> {

private static final String TAG = "AsyncTaskEx";

private static final int KEEP_ALIVE_TIME = 1;

private static volatile ThreadPool sInstance = null;

private static int NUMBER_OF_CORES = Runtime.getRuntime().availableProcessors();

private final ExecutorService mExecutor;

private final BlockingQueue<Runnable> mTaskQueue;

public AsyncTaskEx() {

// initialize a queue for the thread pool. New tasks will be added to this queue

mTaskQueue = new LinkedBlockingQueue<>();

Log.d(TAG, "Available cores: " + NUMBER_OF_CORES);

mExecutor = new ThreadPoolExecutor(NUMBER_OF_CORES, NUMBER_OF_CORES * 2, KEEP_ALIVE_TIME, TimeUnit.SECONDS, mTaskQueue, new SimpleThreadFactory());

}

public AsyncTask<Params, Progress, Result> executeAsync(@NonNull final Params... params) {

return super.executeOnExecutor(mExecutor, params);

}

/* Remove all tasks in the queue and stop all running threads

@AnyThread

public void shutdownNow() {

synchronized (this) {

mTaskQueue.clear();

if ((!mExecutor.isShutdown()) && (!mExecutor.isTerminated())) {

mExecutor.shutdownNow();

}

参考链接

OpenSSL命令行校验SSL/TLS连接检查HTTPS证书配置是否正常

最近服务器上配置了HTTPS之后，发现证书无法通过验证，客户端报告异常

java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

1	java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

证书里面内容是正常的，并且通过浏览器是可以正常访问的，但是Android APP使用okhttp访问的时候就不能正常访问了。同样IOS应用访问也是异常的。

一脸懵逼，不清楚哪一步出现了问题。

于是想追踪一下正常的证书验证流程，搜索了一下发现如下命令：

# on a successful verification
# 注意需要指定端口，如果是https协议，默认端口也需要指定端口443
$ openssl s_client -quiet -connect jvt.me:443
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = jamietanna.co.uk
verify return:1

# on an unsuccessful verification
$ openssl s_client -quiet -connect keystore.openbanking.org.uk:443
depth=2 C = GB, O = OpenBanking, CN = OpenBanking Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 C = GB, O = OpenBanking, CN = OpenBanking Root CA
verify return:1
depth=1 C = GB, O = OpenBanking, CN = OpenBanking Issuing CA
verify return:1
depth=0 C = GB, O = OpenBanking, OU = Open Banking Directory, CN = keystore
verify return:1
read:errno=104

# for an expired cert
$ openssl s_client -quiet -connect expired.badssl.com:443
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.badssl.com
verify error:num=10:certificate has expired
notAfter=Apr 12 23:59:59 2015 GMT
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.badssl.com
notAfter=Apr 12 23:59:59 2015 GMT
verify return:1

# on a successful verification

# 注意需要指定端口，如果是https协议，默认端口也需要指定端口443

$ openssl s_client -quiet -connect jvt.me:443

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3

verify return:1

depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

verify return:1

depth=0 CN = jamietanna.co.uk

verify return:1

# on an unsuccessful verification

$ openssl s_client -quiet -connect keystore.openbanking.org.uk:443

depth=2 C = GB, O = OpenBanking, CN = OpenBanking Root CA

verify error:num=19:self signed certificate in certificate chain

verify return:1

depth=2 C = GB, O = OpenBanking, CN = OpenBanking Root CA

verify return:1

depth=1 C = GB, O = OpenBanking, CN = OpenBanking Issuing CA

verify return:1

depth=0 C = GB, O = OpenBanking, OU = Open Banking Directory, CN = keystore

verify return:1

read:errno=104

# for an expired cert

$ openssl s_client -quiet -connect expired.badssl.com:443

depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA

verify return:1

depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.badssl.com

verify error:num=10:certificate has expired

notAfter=Apr 12 23:59:59 2015 GMT

verify return:1

depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.badssl.com

notAfter=Apr 12 23:59:59 2015 GMT

verify return:1

目前校验过程中发现错误信息如下：

# 注意需要指定端口，如果是https协议，默认端口也需要指定端口443
$ openssl s_client -quiet -connect xxx.xxxxxx.com.cn:38080
depth=0 C = CN, ST = xxx, L = xxx, O = xxxx, OU = IT, CN = *.xxxxxx.com.cn
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CN, ST = xxx, L = xxx, O = xxxx, OU = IT, CN = *.xxxxxx.com.cn
verify error:num=21:unable to verify the first certificate
verify return:1

# 注意需要指定端口，如果是https协议，默认端口也需要指定端口443

$ openssl s_client -quiet -connect xxx.xxxxxx.com.cn:38080

depth=0 C = CN, ST = xxx, L = xxx, O = xxxx, OU = IT, CN = *.xxxxxx.com.cn

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 C = CN, ST = xxx, L = xxx, O = xxxx, OU = IT, CN = *.xxxxxx.com.cn

verify error:num=21:unable to verify the first certificate

verify return:1

经过相关的分析，发现这个问题的原因在于证书签发机构在签发证书的时候，下发了两个证书，其中一个是根证书，一个是中级证书，但是在配置的时候，没有配置相关的中级证书。导致证书校验异常。

增加中级证书之后，校验恢复正常。

参考链接

时间流隐私协议

时间流尊重并保护所有使用服务用户的个人隐私权。为了给您提供更准确、更有个性化的服务，时间流会按照本隐私权政策的规定使用和披露您的个人信息。但时间流将以高度的勤勉、审慎义务对待这些信息。除本隐私权政策另有规定外，在未征得您事先许可的情况下，时间流不会将这些信息对外披露或向第三方提供。时间流会不时更新本隐私权政策。您在同意本应用服务使用协议之时，即视为您已经同意本隐私权政策全部内容。本隐私权政策属于本应用服务使用协议不可分割的一部分。

适用范围

(a) 在您使用本应用网络服务，或访问本应用平台网页时，本应用自动接收并记录的您的浏览器和计算机上的信息，包括但不限于您的IP地址、浏览器的类型、使用的语言、访问日期和时间、软硬件特征信息及您需求的网页记录等数据；

(b) 本应用通过合法途径从商业伙伴处取得的用户个人数据。

您了解并同意，以下信息不适用本隐私权政策：

(a) 您在使用本应用平台提供的搜索服务时输入的关键字信息；

(b) 本应用收集到的您在本应用发布的有关信息数据，包括但不限于参与活动、成交信息及评价详情；

信息使用

(a)本应用不会向任何无关第三方提供、出售、出租、分享或交易您的个人信息，除非事先得到您的许可，或该第三方和本应用（含本应用关联公司）单独或共同为您提供服务，且在该服务结束后，其将被禁止访问包括其以前能够访问的所有这些资料。

(b) 本应用亦不允许任何第三方以任何手段收集、编辑、出售或者无偿传播您的个人信息。任何本应用平台用户如从事上述活动，一经发现，本应用有权立即终止与该用户的服务协议。

信息披露

在如下情况下，本应用将依据您的个人意愿或法律的规定全部或部分的披露您的个人信息：

(a) 经您事先同意，向第三方披露；

(b)为提供您所要求的产品和服务，而必须和第三方分享您的个人信息；

(d) 如您出现违反中国有关法律、法规或者本应用服务协议或相关规则的情况，需要向第三方披露；

(e) 如您是适格的知识产权投诉人并已提起投诉，应被投诉人要求，向被投诉人披露，以便双方处理可能的权利纠纷；

(f) 在本应用平台上创建的某一交易中，如交易任何一方履行或部分履行了交易义务并提出信息披露请求的，本应用有权决定向该用户提供其交易对方的联络方式等必要信息，以促成交易的完成或纠纷的解决。

(g) 其它本应用根据法律、法规或者网站政策认为合适的披露。

信息存储和交换

本应用收集的有关您的信息和资料将保存在本应用及（或）其关联公司的服务器上，这些信息和资料可能传送至您所在国家、地区或本应用收集信息和资料所在地的境外并在境外被访问、存储和展示。

Cookie的使用

(a) 在您未拒绝接受cookies的情况下，本应用会在您的计算机上设定或取用cookies ，以便您能登录或使用依赖于cookies的本应用平台服务或功能。本应用使用cookies可为您提供更加周到的个性化服务，包括推广服务。

(b) 您有权选择接受或拒绝接受cookies。您可以通过修改浏览器设置的方式拒绝接受cookies。但如果您选择拒绝接受cookies，则您可能无法登录或使用依赖于cookies的本应用网络服务或功能。

信息安全

(a) 本应用帐号均有安全保护功能，请妥善保管您的用户名及密码信息。本应用将通过对用户密码进行加密等安全措施确保您的信息不丢失，不被滥用和变造。尽管有前述安全措施，但同时也请您注意在信息网络上不存在“完善的安全措施”。

(b) 在使用本应用网络服务进行网上交易时，您不可避免的要向交易对方或潜在的交易对
7.本隐私政策的更改

(a)如果决定更改隐私政策，我们会在本政策中、本公司网站中以及我们认为适当的位置发布这些更改，以便您了解我们如何收集、使用您的个人信息，哪些人可以访问这些信息，以及在什么情况下我们会透露这些信息。

(b)本公司保留随时修改本政策的权利，因此请经常查看。如对本政策作出重大更改，本公司会通过网站通知的形式告知。

为防止向第三方披露自己的个人信息，如联络方式或者邮政地址。请您妥善保护自己的个人信息，仅在必要的情形下向他人提供。如您发现自己的个人信息泄密，尤其是本应用用户名及密码发生泄露，请您立即联络本应用客服，以便本应用采取相应措施。

2025 年 6 月
一	二	三	四	五	六	日
						1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30